Transition from 2535 to opt-in
Hi Roy, Mark & David
I think that the transition issues need some attention in
draft-ietf-dnsext-dnssec-opt-in.
I am afraid that an RFC2535 verifier (not opt-in aware) will not be
able to see the non-secured part of an opt-in zone.
An example of that:
Assume my RFC 2535 verifier is configured to use "example." as a root
of security (Trusted-key in named.conf speak) or, more generally, the zone
is marked secure by its parent.
If I do a query for QNAME=unsigned.example QTYPE=mx I will get an answer
as in your example A.1:
RCODE=NOERROR
Answer Section:
UNSECURE.EXAMPLE. MX ...
Authority Section:
SECOND-SECURE.EXAMPLE. NXT EXAMPLE. NS SIG KEY
SECOND-SECURE.EXAMPLE. SIG NXT ...
Additional Section:
EXAMPLE. KEY ...
EXAMPLE. SIG KEY ...
Since there is no SIG on unsecure.example I must mark this RR as BAD
and discard it. Hence all unsecured records are not visible to an
RFC2535 verifier.
As for possible transition scenarios I am afraid that there is no
smooth transition possible; it seems to be a 'flag-date' thing.
--Olaf
---------------------------------------------------------------------
Olaf M. Kolkman          | RIPE NCC DISI Project
-------------------------|-------------------------------------------
RIPE NCC                 | Phone: +31 20 535 4444
Singel 258               | Fax:   +31 20 535 4445
1016 AB Amsterdam        | http://www.ripe.net/disi
The Netherlands          | OKolkman@ripe.net
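As an added illustration (it is not part of Olaf's mail, nor code from the opt-in draft), here is a small model of the two verification policies run over a response shaped like the A.1 example quoted above. It assumes that the opt-in draft signals an opt-in span through the NXT type bitmap (an NXT whose bitmap lacks the NXT bit covers a span that may contain unsigned names); that assumption, the `RRset` model and the function names `rfc2535_verify`, `optin_verify` and `in_span` are the example's own.

```python
# Added example: classify the RRsets of an opt-in zone response under
# (a) the RFC 2535 rule and (b) an assumed opt-in-aware rule.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class RRset:
    owner: str
    rtype: str
    signed: bool = False                 # a verifiable covering SIG is present
    nxt_next: Optional[str] = None       # NXT only: next owner name in the chain
    nxt_types: Tuple[str, ...] = ()      # NXT only: the type bitmap


def _key(name: str) -> Tuple[str, ...]:
    # Canonical DNS ordering: compare label by label starting from the root.
    return tuple(reversed(name.lower().rstrip(".").split(".")))


def in_span(name: str, owner: str, next_name: str) -> bool:
    """True if name lies strictly between owner and next_name in canonical
    order; a next_name at or before owner means the chain wraps to the apex,
    so every name sorting after owner is covered."""
    n, o, nx = _key(name), _key(owner), _key(next_name)
    if nx <= o:
        return n > o
    return o < n < nx


def rfc2535_verify(answer: List[RRset]) -> Dict[str, str]:
    """RFC 2535 policy for a zone the verifier treats as secure: every
    RRset must carry a SIG, otherwise it is BAD and is discarded."""
    return {f"{rr.owner}/{rr.rtype}": "SECURE" if rr.signed else "BAD"
            for rr in answer}


def optin_verify(answer: List[RRset], authority: List[RRset]) -> Dict[str, str]:
    """Opt-in-aware policy (assumed signalling): an unsigned RRset is
    INSECURE rather than BAD when a signed NXT in the authority section
    covers its owner name and that NXT's bitmap lacks the NXT bit.
    Any other unsigned RRset is still BAD."""
    nxts = [rr for rr in authority if rr.rtype == "NXT" and rr.signed]
    out: Dict[str, str] = {}
    for rr in answer:
        label = f"{rr.owner}/{rr.rtype}"
        if rr.signed:
            out[label] = "SECURE"
            continue
        covering = [n for n in nxts
                    if n.nxt_next and in_span(rr.owner, n.owner, n.nxt_next)]
        if covering and all("NXT" not in n.nxt_types for n in covering):
            out[label] = "INSECURE"   # unsigned data inside an opt-in span
        else:
            out[label] = "BAD"        # secure span, or no covering NXT at all
    return out


# Constructed response, shaped like the A.1 example in the mail:
# an unsigned MX in the answer, a signed NXT (bitmap NS SIG KEY, no NXT
# bit) in the authority section whose span wraps to the apex.
ANSWER = [RRset("UNSECURE.EXAMPLE.", "MX")]
AUTHORITY = [RRset("SECOND-SECURE.EXAMPLE.", "NXT", signed=True,
                   nxt_next="EXAMPLE.", nxt_types=("NS", "SIG", "KEY"))]

if __name__ == "__main__":
    print("RFC 2535 verifier:", rfc2535_verify(ANSWER))
    print("opt-in verifier:  ", optin_verify(ANSWER, AUTHORITY))
```

The RFC 2535 policy never looks at the authority section for an answered name, which is exactly why the unsigned MX is discarded; the opt-in policy only downgrades to INSECURE when a signed NXT proves that the name sits in an opt-in span, and falls back to BAD if the covering NXT has the NXT bit set or no NXT covers the name.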